
Trojan.Virtumonde [RESOLVED]

Phugga (Member, 19 posts)
Posted 27 April 2008 - 04:43 PM

Hello everyone! For some reason or other, after I downloaded a file (which seemed clean), my anti-virus detected a Trojan.Virtumonde and terminated the application. I thought this was the end of it, but it seems it has caused many more problems.

My startup monitor is showing that a program named BMd3d35e05 is trying to register the executable Rundll32.exe "C:\WINDOWS\system32\mjyavhuq.dll" to run at startup. It asks me whether I would allow this change, so being suspicious of the file names, I clicked "no", and got another pop-up of the same kind, from a different dll file and a different program.

My spyware guard is also telling me that a BHO (Browser Helper Object) has been added to my system. The file location is: C:\WINDOWS\system32\opnnnLfE.dll

I tell it to remove the dll, and it is done successfully, but another message pops up right after that one. This time for mlJArqqO.dll

Here is my HijackThis log. I took a go at analyzing it, and it seems I need to remove the line in O4 that has the program, but I would like to ask for help to make sure.
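The two things this post describes, a Run value that launches Rundll32.exe with a randomly named DLL from system32 and nameless BHOs at similar paths, are exactly the O4 and O2 lines to look for in the HijackThis log. The Python script below is an added example for this thread, not part of HijackThis, ComboFix or the original post: it parses HijackThis-style O2/O4 lines and ranks the ones matching that pattern for a human to review. The sample log is constructed for the example (the DLL and Run-value names are the ones quoted above; the CLSIDs and the benign entries are placeholders), and the "random-looking name" score is my own heuristic, not a HijackThis feature.

```python
"""Rank HijackThis-style O2 (BHO) and O4 (startup) lines that look like the
Vundo / Virtumonde footprint: a randomly named DLL in system32 loaded by
rundll32.exe from a Run value, or registered as a nameless BHO.

Added example for this forum thread; not code from HijackThis, ComboFix or
MBAM.  The O2/O4 line layout follows HijackThis output, but every sample
line below is constructed and the CLSIDs are placeholders.
"""
import ntpath
import re
from typing import List, Tuple

RE_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$')
RE_O4 = re.compile(r'^O4 - (?P<key>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$')
RE_DLL = re.compile(r'"([^"]+?\.dll)"|(\S+?\.dll)', re.IGNORECASE)  # quoted or bare path
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic for Vundo-style DLL names: exactly 8 letters, and either
    uppercase letters inside the word (opnnnLfE, mlJArqqO) or consonant-heavy
    with few vowels (mjyavhuq).  Meant to rank lines for a human, not convict."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    if any(c.isupper() for c in stem[1:]):
        return True
    low = stem.lower()
    longest = run = 0
    for c in low:                       # longest run of non-vowels (y counts)
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    vowel_ratio = sum(c in VOWELS for c in low) / len(low)
    return longest >= 3 and vowel_ratio <= 0.25


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def stem_of(path: str) -> str:
    return ntpath.splitext(ntpath.basename(path))[0]   # works with backslashes on any OS


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (line type, DLL path, reason) for each suspicious O2/O4 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_O2.match(line)
        if m:
            path = m["path"]
            if in_system32(path) and looks_random(stem_of(path)):
                reason = "BHO with random-looking DLL name in system32"
                if m["name"] == "(no name)":
                    reason += ", no display name"
                findings.append(("O2", path, reason))
            continue
        m = RE_O4.match(line)
        if m and m["cmd"].lower().startswith("rundll32"):
            d = RE_DLL.search(m["cmd"])
            if d:
                path = d.group(1) or d.group(2)
                if in_system32(path) and looks_random(stem_of(path)):
                    findings.append(("O4", path,
                                     f"rundll32 loads random-looking DLL from Run value [{m['value']}]"))
    return findings


# Constructed sample in HijackThis style.  Names from the thread are real;
# the CLSIDs are placeholders and the NvCpl/ctfmon lines stand in for benign entries.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\opnnnLfE.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000003} - C:\WINDOWS\system32\mlJArqqO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMd3d35e05] Rundll32.exe "C:\WINDOWS\system32\mjyavhuq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for kind, path, reason in triage(SAMPLE_LOG):
        print(f"{kind}  {path}  ({reason})")
```

Run as-is it flags the three DLLs named in this post and nothing else; for a real log use triage(open("hijackthis.log").read()). A hit is a candidate for the O4/O2 fix, not a verdict: check the file's signature and vendor before removing it, since the heuristic will occasionally catch an oddly named but legitimate DLL.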


BHowett (OT Moderator, 4,642 posts)
Posted 27 April 2008 - 05:33 PM

Hello and welcome back to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

The fixes may take several attempts and my replies may take some time but stick with it, and we will be sure to get you sorted.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Also, I have started to get this other error: "The instruction 0xXXXXXXX referenced at memory 0xXXXXXXXXX could not be "read". Click OK to terminate the application." X is any number, as the address varies. It occurs for many programs, including wuauclt.exe and others.

I forgot to mention, before I ran ComboFix, I was browsing the internet and could not do a search with Google. Instead, it took a lot longer than usual and didn't even perform the search; it just opened a new Firefox browser containing all these ads. However, the fix has caused my startup monitor and spyware guard to stop sending me alert messages about those programs trying to register an executable.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

===============================================

Also, my computer seems to be running normally. I didn't receive any notices of harmful objects trying to run at startup, nor am I getting the memory error. Let's hope this continues, because some days are good, while others are horrific. Thank you for helping me thus far.

BHowett (OT Moderator, 4,642 posts)
Posted 29 April 2008 - 10:19 AM

I'm glad to hear things are running normally. Your logs are looking good, so let's get one more scan just to make sure.

ATF Cleaner

Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use the Firefox browser:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Phugga (Member, Topic Starter, 19 posts)
Posted 01 May 2008 - 03:03 AM

Here is my log for the Kaspersky Online scan. I read through it, and some things, such as Brutus (which I use to test password strength), are considered a virus. If it is causing the problems, I will remove it, but I would rather keep it for my own purposes.

BHowett

Posted 01 May 2008 - 06:53 AM

Your log is fine, and you can keep your password tools. All the infections found were in quarantine and System Restore, and we are about to clean them out right now.

ComboFix Removal

Follow these steps to uninstall Combofix and the tools used in the removal of malware:

Click START then RUN

Now type Combofix /u in the run box and click OK. Note the space between the x and the /u; it needs to be there.

===============================================

Reset your restore points

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-check "Turn off System Restore".
Click Apply, and then click OK.

===============================================

This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any problems you still have.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1.) Watch what you download! Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others (which are amongst the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

2.) Go to Internet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft. Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3.) Open Internet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level". In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed. Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Options > Security.

So why is ActiveX so dangerous that you have to increase the security for it? When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive. Would you run just any random file downloaded off a web site without knowing what it is and what it does?

It will protect you from most spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer). Press "Enable All Protection", and you're done. The spyware that you told SpywareBlaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection. Don't forget to check for updates every week or so.

5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

7.) Another excellent program by Javacool we recommend is SpywareGuard. It provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.

8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it blocks ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate.

10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
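Step 3 above (Internet-zone ActiveX set to Prompt/Disable) and the SpywareBlaster "kill bit" advice are both just registry values, so they can be applied and, more usefully, verified without trusting the dialog. The Python below is an added example for this thread, not code from Geeks To Go, SpywareBlaster or Microsoft: it renders the settings as a .reg fragment and audits an exported .reg file against the same policy. The value IDs 1001/1004/1201 with 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented URL-action values under the zone key, and 0x400 in "Compatibility Flags" is the documented kill bit; the CLSIDs and the "weak" export are placeholders constructed for the example.

```python
"""Write and audit the IE ActiveX hardening from the thread as registry data.

Added example for this thread; not code from Geeks To Go, SpywareBlaster or
Microsoft.  Value IDs 1001/1004/1201 (0=Enable, 1=Prompt, 3=Disable) are
Microsoft's documented URL-action values under the zone keys, and 0x400 is
the documented "Compatibility Flags" kill bit.  The CLSIDs are placeholders.
"""
import re
from typing import Dict, Iterable, List

ZONE3 = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
         r"\Internet Settings\Zones\3")                 # zone 3 = Internet
KILLBIT_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                r"\ActiveX Compatibility")
ENABLE, PROMPT, DISABLE = 0, 1, 3       # numeric order matches strictness order
KILL_BIT = 0x400

# Setting -> (value ID, weakest acceptable state), as recommended in the post.
ACTIVEX_POLICY = {
    "Download signed ActiveX controls": ("1001", PROMPT),
    "Download unsigned ActiveX controls": ("1004", PROMPT),
    "Initialize and script ActiveX controls not marked as safe": ("1201", DISABLE),
}
STATE_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Placeholder CLSIDs standing in for the controls you want kill-bitted.
PLACEHOLDER_CLSIDS = ["{00000000-0000-0000-0000-0000000000A1}",
                      "{00000000-0000-0000-0000-0000000000A2}"]


def build_reg(kill_clsids: Iterable[str]) -> str:
    """Render the hardened settings as a .reg fragment (import with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3}]"]
    for vid, state in ACTIVEX_POLICY.values():
        lines.append(f'"{vid}"=dword:{state:08x}')
    for clsid in kill_clsids:
        lines += ["", f"[{KILLBIT_ROOT}\\{clsid}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}']
    return "\n".join(lines) + "\n"


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Parse .reg text into {key: {value name: dword}}; other value types are ignored."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit(reg_text: str, kill_clsids: Iterable[str]) -> List[str]:
    """One finding per zone setting weaker than the policy or kill bit not set."""
    keys = parse_reg(reg_text)
    zone = keys.get(ZONE3, {})
    findings = []
    for label, (vid, required) in ACTIVEX_POLICY.items():
        if vid not in zone:                  # absent = inherits the zone default; report it
            findings.append(f"{label}: value {vid} not set explicitly")
        elif zone[vid] < required:
            findings.append(f"{label}: is {STATE_NAME.get(zone[vid], zone[vid])}, "
                            f"should be {STATE_NAME[required]}")
    for clsid in kill_clsids:
        flags = keys.get(f"{KILLBIT_ROOT}\\{clsid}", {}).get("Compatibility Flags", 0)
        if not flags & KILL_BIT:
            findings.append(f"{clsid}: kill bit (0x400) not set")
    return findings


# Constructed export of a weak configuration (Enable / Prompt / Prompt, one
# control without its kill bit, the other key absent); not from a real machine.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit(WEAK_EXPORT, PLACEHOLDER_CLSIDS):
        print("WEAK:", finding)
    print(build_reg(PLACEHOLDER_CLSIDS))
```

To audit a real machine, export the zone key and the ActiveX Compatibility key with reg export (for example reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg), read the files with encoding="utf-16" since reg export writes UTF-16 text, and pass the concatenated text to audit() with the CLSIDs you care about. A kill bit stops Internet Explorer from instantiating that control anywhere, which is why it protects you even on sites you did not restrict.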

Phugga (Member, Topic Starter, 19 posts)
Posted 02 May 2008 - 05:55 AM

THANK YOU VERY MUCH. My computer seems to be running fine now, without any problems (though a bit too slow). I have installed all the programs in your last reply, and hope I will no longer have any more problems with my computer. Again, thank you for helping me.